For the last four years the Open Source Memory Forensics Workshop (OMFW) has hosted a collective who’s who of memory forensics and provided a forum in which to discuss the latest advances and tools, namely Volatility. Thanks to Aaron Walters I was able to attend this year. 

The first thing I noticed is the lack of vendors and people.  The conference is by invite only and is limited to just 50 attendees.    It’s a refreshing approach, really.  Though I’m the first to take advantage of the chance to mingle and network at more traditional conferences, this format allowed me to sit back and focus on one thing – learning.    There was a nominal registration fee with all proceeds going to the National Center for Missing and Exploited Children

The presentations, dubbed “lightning sessions” were fast and furious.  30 minutes each.  I think that high speed low drag is the best way I can describe them.   The speakers were a virtual who’s who of memory forensics.  Volatility contributors Jamie Levy, Andrew Case, and Michael Hale Ligh (author of the Malware Analysts Cookbook) were among the presenters as was George Garner of Windows DD fame.  I enjoyed the chance to talk with George about the state of Windows memory acquisition tools and how his tools deal with some of the challenges.    I hope to evaluate his products soon. 

Topics at the conference included Android Memory Analysis, Malware in the Windows GUI Subsystem, Reconstructing the MBR and MFT from Memory and Analyzing Linus Rootkits with Volatility, Mining the PFN Database for Malware Artifacts, and others. Aaron Walters moderated the conference and discussed the latest developments in Volatility and provided a road map of things to come.   

I’ve been using Volatility for several years now.  I rely on it as my go to tool for memory analysis.  The blog and mailing list allow me to stay on top of new features and use scenarios.   The conference provided me an additional opportunity to broaden my horizon on memory forensics and to put faces to names.

Interested in learning more about memory forensics?  Unable to attend this year’s OMFW? Visit the Volatility Labs blog to follow the latest in all things Volatility and to download copies of this year’s presentations.    Then, visit the code repository site to download the latest release of the Volatility Framework.  New to volatility?  Check out the introduction page.  Need some memory samples to practice with?  Yes, those are there too.

Comments are closed.